September 03, 2007

To WEP or not to WEP. That is the question!

The summer has gone by with the usual hacking conferences: BlackHat, Defcon, and this year CCC as well. As always, be ready to dig through the archives! Unfortunately, I couldn't make it this year; however, as I couldn't go to Defcon, (part of) Defcon came to me :)

I love wireless security, so I try to stay up to date and dig into the latest wireless security news, events and research, so that every time I teach "Security 617: Assessing and Securing Wireless Networks" students get the most cutting-edge information, even though this SANS course is already wisely and thoroughly updated quarterly by Josh.

I would never have thought 2007 was going to be the year of WEP (again). To me WEP was dead, but it seems there are different levels of death, and WEP is a kind of zombie. In April this year the aircrack-ptw research and tool were released, speeding up the statistical WEP cracking process to less than a minute (the PTW attack needs on the order of 40,000 to 85,000 captured data frames with unique IVs, far fewer than the previous statistical attacks, so a busy network or an ARP replay gives you the key in well under a minute).

In March, AirDefense announced a new WEP cloaking technology to protect legacy WEP-based wireless networks, such as those used by retailers and merchants in their WiFi PoS (point of sale) devices to process credit cards. That kind of deployment is what led to the biggest public theft of credit-card numbers in history, carried out over 18 months: the famous TJX case.

There was some initial discussion on the SecurityFocus (SF) wireless security mailing list, and some follow-up blog posts from other major wireless security vendors, like Aruba. Although AirDefense clarified that WEP Cloaking is not an exclusive protection mechanism but part of their defense-in-depth strategy, the big debate is: does it make sense to promote and perpetuate a vulnerable technology like WEP, or should we turn the page and migrate directly to WPA/WPA2?

During Defcon, Vivek Ramachandran, senior wireless security researcher at AirTight Networks, presented "The Emperor Has No Cloak – WEP Cloaking Exposed" (long/technical and short/humorous versions). AirTight performed in-depth research into generic WEP Cloaking (or Chaffing, as they call it) scenarios, prompted by the initial NetworkWorld announcement.

Update: The Defcon 15 video for the presentation is available here.

The research was not focused on the AirDefense solution in particular; instead they built different generic, academic scenarios "protected" by a WEP chaffing solution and demonstrated that they can be hacked. Among other reasons, they could not analyze their competitor's solution because nobody (ourselves included) has been able to obtain a wireless traffic capture sample from a network with WEP Cloaking enabled. We requested one through the SF mailing list, and the aircrack people asked for it again during Defcon, without success.

They simulated four WEP Cloaking (or Chaffing) scenarios, in which the IPS (the WEP chaffing device) generates: random traffic, traffic encrypted with a single (wrong) key, traffic encrypted with multiple keys, or traffic encrypted with random keys.

The main strategy for attacking this type of protection mechanism is to differentiate the valid traffic of the wireless network, generated by the AP, from the artificial or fake traffic generated by the IPS and injected to confuse WEP cracking tools. Once the chaff is filtered out, the remaining frames are just ordinary WEP traffic and the usual statistical attacks apply. They implemented three methods to separate the valid traffic from the fake traffic:
  • Visual user inspection: Hey, we're still smarter than computers!
  • Filtering traffic based on IVs and sequence numbers: This is one of the first methods we all thought about when we saw the initial announcement. It works because the 802.11 sequence number (a 12-bit counter in the frame header) is incremented by one for each frame the AP transmits, and the same applies to the 24-bit WEP IV in many WEP implementations. Some vendors do not use sequential IVs (like Cisco), but most legacy WEP devices do, and the chaffing device, which generates its own frames, does not follow the AP's counters.
  • Active packet replay (à la chop-chop): The AP is your friend! Why not use it to tell genuine frames from fake ones? Replay a captured frame towards the AP: a frame encrypted with the real key is accepted and processed, while chaff encrypted with some other key (or random content) is silently dropped, exactly the behaviour chop-chop relies on.
Some videos containing demos similar to the ones Vivek showed during the Defcon presentation are linked above, for the visual inspection and sequence number analysis techniques, plus one showing the usual WEP key statistics when fake traffic is inserted and how the default aircrack-ng fails to crack the WEP key in the presence of fake traffic.
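To make the second method concrete, here is a small added example (my own illustration, not the AirTight tools nor anything from aircrack-ng) that separates genuine AP frames from chaff using the continuity of the 802.11 sequence number and the WEP IV. The capture is constructed in the code: the chaffing device is assumed to spoof the AP's source MAC and to emit frames with random sequence numbers and random IVs, which is the simplest of the scenarios described above. The frame format (a tuple of source MAC, sequence number, IV) is an assumption for the example; with a real pcap you would extract those fields with a parser such as scapy's Dot11/Dot11WEP layers.

```python
"""Filter WEP chaff by 802.11 sequence-number and IV continuity.

Added illustration; not code from the AirTight research or aircrack-ng.
A frame is a constructed tuple (src_mac, seq, iv): seq is the 12-bit 802.11
sequence number, iv the 24-bit WEP IV (both assumptions for the example).
"""
import random

SEQ_MOD = 1 << 12   # 802.11 sequence number width (wraps at 4096)
IV_MOD = 1 << 24    # WEP IV width (wraps at 16777216)
MAX_GAP = 8         # tolerate a few frames lost by the sniffer


def fwd_delta(prev, cur, mod):
    """Forward distance from prev to cur modulo mod (handles wraparound)."""
    return (cur - prev) % mod


def is_successor(prev, cur, check_iv=True):
    """True if cur plausibly follows prev in the same transmitter's stream."""
    dseq = fwd_delta(prev[1], cur[1], SEQ_MOD)
    if not 1 <= dseq <= MAX_GAP:
        return False
    if not check_iv:   # for vendors with non-sequential IVs, rely on seq only
        return True
    div = fwd_delta(prev[2], cur[2], IV_MOD)
    return 1 <= div <= MAX_GAP


def split_chaff(frames, lookahead=16, check_iv=True):
    """Return (genuine, chaff).

    Per transmitter we track the last accepted frame and accept a new one
    only if both counters advance by a small positive step. A transmitter's
    tracker is seeded only by a frame that has a plausible successor within
    the next `lookahead` frames, so a capture that starts with chaff does not
    lock the tracker onto a random counter value.
    """
    last = {}
    genuine, chaff = [], []
    for i, frame in enumerate(frames):
        src = frame[0]
        if src in last and is_successor(last[src], frame, check_iv):
            last[src] = frame
            genuine.append(frame)
            continue
        if src not in last:
            window = [f for f in frames[i + 1:i + 1 + lookahead] if f[0] == src]
            if any(is_successor(frame, f, check_iv) for f in window):
                last[src] = frame
                genuine.append(frame)
                continue
        chaff.append(frame)
    return genuine, chaff


def build_sample_capture(seed=7, n_genuine=40):
    """Constructed capture: sequential AP frames interleaved with random chaff.

    Counters start just below their wrap point so the modulo logic is
    exercised, and two genuine frames are 'lost' to simulate sniffer drops.
    Returns (capture, expected_genuine).
    """
    rng = random.Random(seed)
    ap = "00:11:22:33:44:55"           # constructed AP MAC, spoofed by the chaff
    seq, iv = SEQ_MOD - 6, IV_MOD - 5
    capture, genuine = [], []
    for k in range(n_genuine):
        for _ in range(rng.randint(0, 3)):   # 0-3 chaff frames before each real one
            capture.append((ap, rng.randrange(SEQ_MOD), rng.randrange(IV_MOD)))
        if k not in (10, 25):                # frames 10 and 25 are never captured
            frame = (ap, seq, iv)
            capture.append(frame)
            genuine.append(frame)
        seq, iv = (seq + 1) % SEQ_MOD, (iv + 1) % IV_MOD
    return capture, genuine


if __name__ == "__main__":
    capture, expected = build_sample_capture()
    kept, dropped = split_chaff(capture)
    print(f"captured {len(capture)}, kept {len(kept)}, dropped {len(dropped)}")
    print("recovered genuine stream exactly:", kept == expected)
```

The frames in `kept` are what you would write back to a pcap and feed to aircrack-ng; the chaff never reaches the statistical analysis. Set `check_iv=False` for vendors that do not use sequential IVs and let the sequence number alone do the work. The obvious counter for a chaffing vendor is to mirror the AP's sequence numbers, which is why the active replay method is the more robust of the three.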

One method not covered by this research is the use of signal strength (RSSI) or bit rate (Mbps) to help discriminate AP traffic from IPS traffic. It seems they ran some lab tests and concluded that it is not a very reliable method, due to the significant variations caused by unpredictable radio frequency behaviour and by the AP and client drivers changing the bit rate sporadically. I guess further research in this field could help, unless the AP and IPS are in the same location and use the same TX power and antennas.

Unfortunately, the WEP chaffing tools they used and the modifications they made to aircrack-ng are not publicly available. However, the aircrack-ng people are working on adding these capabilities to the standard suite, something like a "--wep-cloaking" option, although it is not yet available in the current SVN version (0.9.2, revision 680).

Although migrating large legacy WEP environments whose wireless devices cannot support WPA/WPA2 can be expensive and far from easy, sorry, but IMHO it is the only way to go. Even in the theoretical case that WEP Cloaking worked (do you still think so? ;)), there are other WEP-based attacks that it does not mitigate, like chop-chop, WEP packet replay, PRGA (keystream) recovery, etc. Anyway, if you still think WEP Cloaking can work effectively, they issued an open challenge at the end of the presentation for anyone interested in demonstrating that their WEP solution is unbreakable.

As an independent security consultant I am vendor agnostic with respect to the different WIDS vendors mentioned in this post, and I think the best recommendation is to establish an aggressive migration path from WEP to WPA2 and, in the meantime, apply defense-in-depth principles, with a robust WiFi detection and prevention layer that detects and reacts to attacks in near real time. The solution must provide triangulation capabilities to locate where the attacker could be: follow the signal! :)

Once again, what else do you need to move away from WEP? I'm afraid we'll be talking about WEP again in the coming months :(

P.S.: Thanks to Della Lowe and Vivek Ramachandran for bringing part of Defcon to me, for all the details about their research, and for answering all my questions.
